* Because of the permissions on nolicense, unprivileged users can edit the
file to insert arbitrary commands into the script. Then, if AppTrack is
enabled (see below) and the trigger condition occurs (again, see below),
that code can be executed with superuser privileges.

* The use of predictably-named temporary files in a world-writeable
directory can allow local users to append, overwrite or destroy arbitrary
files, even if nolicense itself is made non-world-writeable.

These holes can only be exploited if the AppTrack functionality is enabled.
This feature is off by default.

Vulnerable Versions
-------------------

4.1 for Solaris/sparc - only version tested.

Workarounds
-----------

Change the permissions on /var/mfaslmf and rewrite nolicense. According to
the documentation, nolicense is provided as "an example" and the user "can
edit the nolicense script to your requirements." IMO, example code with
serious security holes should NOT be distributed. If you don't need this
feature, delete the script. Regardless of whether or not you need AppTrack
to work, you should be able to change the permissions on /var/mfaslmf to
something safer.
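
A way to check the permissions described above and to create scratch space
safely in a rewritten script, as an added example that is not part of the
original advisory or the vendor's nolicense script. The function names are
hypothetical, the paths are supplied by the caller, and mktemp(1) is assumed
to be installed.

```sh
#!/bin/sh
# Added example, not vendor code. Paths are supplied by the caller.

# world_writable PATH: succeeds if PATH (not a symlink) grants write to "other".
world_writable() {
    [ -n "$(find "$1" -prune ! -type l -perm -0002 -print 2>/dev/null)" ]
}

# audit_apptrack DIR SCRIPT: prints one line per finding, returns the count.
audit_apptrack() {
    dir=$1 script=$2 findings=0
    for p in "$dir" "$script"; do
        if [ -L "$p" ]; then
            # A link can redirect a privileged write or read elsewhere.
            echo "FINDING: $p is a symbolic link; check what it points to"
            findings=$((findings + 1))
        elif world_writable "$p"; then
            echo "FINDING: $p is world-writable"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# private_tmpdir: creates a mode-0700 directory with an unpredictable name
# and prints its path. Files created inside it cannot be pre-planted or
# replaced by other local users, unlike fixed names in a shared directory.
private_tmpdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/apptrack.XXXXXX" )
}

# Stand-alone use: sh audit.sh <directory> <script>
if [ "$#" -eq 2 ]; then
    audit_apptrack "$1" "$2"
fi
```

A non-zero exit status is the number of findings, so the audit can gate a
configuration-management run.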